# MFA Fatigue Attacks
## Definition
MFA fatigue attacks (also called MFA bombing or push notification spam) exploit the human element of multi-factor authentication by bombarding a target with repeated push notification approval requests until the user approves one out of frustration, confusion, or a desire to make the notifications stop. The attacker already possesses the victim's username and password (obtained through phishing, credential stuffing, or data breaches) and repeatedly initiates login attempts, triggering MFA push notifications to the victim's device. The attack bypasses MFA without exploiting any technical vulnerability in the MFA system itself.
## How It Works
The attack follows a straightforward sequence:
- Credential Acquisition: The attacker obtains valid credentials through phishing, credential stuffing (testing leaked passwords), purchasing credentials on dark web markets, or social engineering. This is a prerequisite, not part of the MFA fatigue attack itself.
- Repeated Login Attempts: The attacker automates login attempts using the stolen credentials. Each attempt triggers an MFA push notification to the victim's enrolled device.
- Notification Flooding: The victim's phone buzzes repeatedly with MFA approval requests. The attacker may send dozens or hundreds of requests over minutes or hours.
- Social Engineering Augmentation: In more sophisticated variants, the attacker contacts the victim via text message, phone call, or internal messaging (posing as IT helpdesk) and instructs them to approve the notification to "resolve a system issue" or "complete a security update."
- Victim Approval: The victim eventually approves a notification due to:
  - Fatigue (tapping "Approve" to stop the buzzing)
  - Confusion (believing a system malfunction is causing repeated notifications)
  - Social engineering (following instructions from the supposed IT helpdesk)
  - Accident (approving while attempting to dismiss the notification, especially at night)
- Account Takeover: Upon approval, the attacker gains authenticated access to the account with full privileges.
Why Push-Based MFA is Vulnerable: Simple push notifications present a binary choice (approve/deny) without requiring the user to verify any contextual information. The user does not see where the login originates, which device initiated it, or anything else that would distinguish a legitimate request from an attack.
## Why It Matters
MFA fatigue attacks have been used in high-profile breaches of major organizations:
- Uber (2022): The Lapsus$ group used MFA fatigue combined with social engineering (posing as IT support on Slack) to compromise an Uber contractor's account, gaining access to internal systems.
- Cisco (2022): An attacker used MFA fatigue combined with voice phishing to compromise an employee's Google account, which was synced with Cisco's corporate credentials.
- Microsoft (2022): Lapsus$ group used MFA fatigue to access Microsoft's internal DevOps environment.
These attacks demonstrate that MFA, while far better than passwords alone, is not impervious. Push-based MFA that relies on simple approve/deny notifications is particularly vulnerable because it places the burden on the human to make a correct decision under pressure, exactly the situation where humans fail.
The fix is not to abandon MFA but to upgrade to phishing-resistant methods. FIDO2/WebAuthn hardware keys, number matching (requiring the user to enter a code displayed on the login screen), and additional context (geographic location, device information) in push notifications all mitigate this attack.
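To make the number-matching mitigation concrete, here is an added simulation (not CDA's or any vendor's code) of a push challenge whose approval is bound to the number shown on the login screen; the `PushChallengeStore` class and its methods are assumed names for illustration.

```python
import hmac
import secrets
import time

# Constructed simulation of a number-matching push flow; it is not any vendor's API.
# The login screen that accepted the password shows a two-digit number, and the
# authenticator app requires that number before it will approve the sign-in.
class PushChallengeStore:
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._challenges = {}  # challenge_id -> (user, number, expires_at)

    def issue(self, user, now=None):
        """Start a push challenge after the password step. Returns (challenge_id,
        number); the number is displayed only on the login screen that started it."""
        now = time.time() if now is None else now
        cid = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"
        self._challenges[cid] = (user, number, now + self.ttl)
        return cid, number

    def approve(self, cid, user, entered_number, now=None):
        """Called by the authenticator app. Succeeds only if the user typed the
        number from the login screen; each challenge allows a single attempt, so a
        blind tap on 'Approve' (no number, or a guess) consumes the challenge."""
        now = time.time() if now is None else now
        entry = self._challenges.pop(cid, None)  # single use, even on failure
        if entry is None:
            return False
        owner, number, expires_at = entry
        if owner != user or now > expires_at:
            return False
        return hmac.compare_digest(number, str(entered_number))
```

Because the victim never sees the number from a login the attacker started, tapping "Approve" to silence the phone no longer grants access; the protection does not survive the social-engineering variant in which the victim is talked into typing a number read out by the caller, which is why the page treats number matching as an interim step toward FIDO2.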
## Real-World Applications
- Enterprise Accounts: Attackers target employees of high-value organizations using credentials from prior breaches, then use MFA fatigue to bypass push-based MFA.
- VPN Access: MFA fatigue against VPN authentication gives attackers a foothold inside the corporate network.
- Cloud Platforms: Compromising cloud admin accounts through MFA fatigue provides access to entire cloud environments.
- Code Repositories: Developers with access to source code repositories are targeted to enable supply chain attacks.
- Financial Accounts: Banking and brokerage accounts with push-based MFA are targeted for direct financial theft.
## CDA Perspective
MFA fatigue attacks are addressed under CDA's Identity Access & Trust (IAT) domain using the Zero Possession Architecture (ZPA) methodology. The solution is clear: upgrade MFA to phishing-resistant methods.
CDA's approach:
- M-IAT-R01 inventories all MFA methods in use across the organization and identifies push-only MFA as a vulnerability
- M-IAT-H01 implements phishing-resistant MFA (FIDO2/WebAuthn hardware keys) for all users, prioritizing administrative and high-privilege accounts
- M-IAT-H02 configures number matching and additional context for push notifications where FIDO2 deployment is in progress
- M-TID-H02 implements anomaly detection for MFA fatigue patterns (repeated failed or unanswered MFA prompts followed by a single success)
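As an added example of the M-TID-H02 detection pattern (written for this page, not CDA's own tooling), the following code runs a burst detector over a constructed sample of push-challenge log lines; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-challenge events (not taken from any real system).
# Each line: timestamp, user, outcome of the push prompt.
SAMPLE_LOG = """\
2024-03-04T02:11:03Z alice push_denied
2024-03-04T02:11:09Z alice push_timeout
2024-03-04T02:11:15Z alice push_denied
2024-03-04T02:11:21Z alice push_timeout
2024-03-04T02:11:27Z alice push_denied
2024-03-04T02:11:33Z alice push_timeout
2024-03-04T02:11:40Z alice push_approved
2024-03-04T09:00:00Z bob push_timeout
2024-03-04T09:00:45Z bob push_approved
"""

FAILURE_RESULTS = {"push_denied", "push_timeout"}

def parse_log(text):
    """Parse the sample format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_failures=5):
    """Return (user, approval time, preceding failure count) for each approval
    that follows at least `min_failures` denied/timed-out pushes within `window`.
    One stray timeout before an approval (bob) is normal and is not flagged."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        recent = []  # timestamps of failed pushes still inside the window
        for ts, _, result in evs:
            recent = [t for t in recent if ts - t <= window]
            if result in FAILURE_RESULTS:
                recent.append(ts)
            elif result == "push_approved":
                if len(recent) >= min_failures:
                    alerts.append((user, ts, len(recent)))
                recent = []  # the approval closes the burst
    return alerts
```

In production the same rule should also consider the source of the login attempts, since a burst from a new network followed by an approval at 2 a.m. is a stronger signal than the count alone.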
CDA's position: simple push-based MFA is a stepping stone, not a destination. FIDO2 hardware keys are the standard. Number matching is the minimum acceptable interim measure. Simple approve/deny push notifications should be retired.
## Key Takeaways
- MFA fatigue attacks flood users with push notification requests until they approve one
- The attacker must already have valid credentials; MFA fatigue bypasses the second factor
- High-profile breaches at Uber, Cisco, and Microsoft used this technique
- Simple approve/deny push notifications are the vulnerable MFA method
- Number matching (entering a code from the login screen) mitigates the attack
- FIDO2/WebAuthn hardware keys are phishing-resistant and immune to MFA fatigue